HTTP 请求 Sniffer 很多工具可以做,至于 HTTPS 则使用 Charles 做中间人攻击也可以拿到全部 HTTPS 请求的细节,并且不限定于 iOS(具体方法这里就不说了,不是本文重点)。
但是,这些协议层的分析往往只能分析协议细节,想要深度追踪 HTTP/HTTPS/UIWebView 数据的生成细节的话,很多时候还是无能为力的。此时我们需要定位到数据生成的进程、模块、调用堆栈,进而找到相关代码继续做逆向工程分析——HttPeek 插件就是这样用途的插件,用法:
-
在已越狱的系统中安装 Cydia Substrate;
-
把 HttPeek.dylib 点此下载 放到 Cydia Substrate 的插件目录中(/Library/MobileSubstrate/DynamicLibraries),并重启设备或相关进程;
-
操作重现,确保你期望监听的 HTTP/HTTPS/UIWebView/SSL 请求已发生;
-
在 /tmp/%进程名称%.req 目录中获取改进程所有的 HTTP/HTTP/UIWebView/SSL 请求细节的日志,比如:
FROM /System/Library/PrivateFrameworks/iTunesStore.framework/iTunesStore(0x3990e000)-<redacted>(0x399183e1=>0x0093e1) <( 0 HttPeek.dylib 0x0199fcb1 _Z10LogRequestP12NSURLRequestPv + 496 1 HttPeek.dylib 0x019a03cb _Z22$NSURLConnection_startP11objc_objectP13objc_selector + 50 2 iTunesStore 0x3991880b <redacted> + 1066 3 iTunesStore 0x399183a5 <redacted> + 360 4 iTunesStore 0x399148df <redacted> + 386 5 iTunesStore 0x3991f78b <redacted> + 598 6 iTunesStore 0x3991e421 <redacted> + 544 7 iTunesStore 0x399137cd <redacted> + 288 8 iTunesStore 0x39912c69 <redacted> + 620 9 iTunesStore 0x3991230d <redacted> + 276 10 iTunesStoreUI 0x39a636bb <redacted> + 354 11 iTunesStoreUI 0x39a63011 <redacted> + 164 12 iTunesStore 0x399137cd <redacted> + 288 13 iTunesStore 0x39912c69 <redacted> + 620 14 Foundation 0x315c07db <redacted> + 770 15 Foundation 0x31664995 <redacted> + 60 16 libdispatch.dylib 0x3b5bb68f <redacted> + 110 17 libdispatch.dylib 0x3b5bcd71 <redacted> + 220 18 libdispatch.dylib 0x3b5bcf59 <redacted> + 56 19 libsystem_pthread.dylib 0x3b6f7dbf _pthread_wqthread + 298 20 libsystem_pthread.dylib 0x3b6f7c84 start_wqthread + 8 )> POST: https://play.itunes.apple.com/WebObjects/MZPlay.woa/wa/signSapSetup { "Accept-Language" = "zh-Hans"; Cookie = "mzf_odc=ST1; xp_ci=3z22aB6Jz841z576zB2szwxWTgkNv; mzf_in=112351; s_vi=[CS]v1|2983AD4B05010B41-600001338012E27D[CE]; Pod=11; itspod=11; ns-mzf-inst=36-85-80-109-88-8294-112351-11-st11; session-store-id=d79638dc54b6dec6c1116ba8fe8e4d84"; "User-Agent" = "AppStore/2.0 iOS/7.0.4 model/iPhone4,1 (6; dt:73)"; "X-Apple-Client-Versions" = "GameCenter/2.0"; "X-Apple-Connection-Type" = WiFi; "X-Apple-Partner" = "origin.0"; "X-Apple-Store-Front" = "143465-19,21 t:native"; } <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>sign-sap-setup-buffer</key> <data> AgAAANIISnQ/0ZM7Y5AO05eY5ugZbrkHNJoRsyFGn+P03FNKZTQmjN/Ha0pbt9Xkfgjz rrdfL3kxiThvq7duDjJp3GO7OatGg7Iyr7x/RJtClXmAoK2uL0rjxqyN36cgIbmYrP2I ZidsvuCHDj13S77kleOuKkuGFZN3JxIMm0OfJG7sqL/GO+2Upo8k0adRhiMj9asFhCxI LdxM2hcZ30cXKhV+fCRYybJm4UHX33lHAWed+6rty6gMzK+m/QbUWhTR2XCWOrEFs+qM Xq1QULQ3kJGPlVYFHaFoVDXRzfsNLTCsql353InFNdTxMdNTxqt9YqmmT+apJTHUq8xA +C9FOQ6G/u35sTGOZUUPxtjTiauYdfYgBs5ULIjwCQAAADCsp7cq8VDLhfHkRGX0idYF kNxP/T1GaG1V0U9kWE0gT5cFAPe464nMsRgxouM2wwEf4hsJkobd98rw1a4xrOAEtFn1 iw== </data> </dict> </plist>
可以看到,Charles 等常规 Sniffer 软件中能看到的发送和接收细节都有,此外还有完整的 CallStack 记录,上例中一看就知道数据是 /System/Library/PrivateFrameworks/iTunesStore.framework/iTunesStore 这个模块发送的的请求,在 Xcode 的 iOS SDK 中可以找到这个模块,进而继续逆向分析它。
PS1:HttPeek 还支持 UIWebView Request、UIAplicaiton openURL、SSLRead/SSLWrite、CFReadStreamCreateForHTTPRequest 的监听,同时还支持SSL 认证禁用(以便使用中间人代理来分析 SSL 网络交互)。
PS2:源代码可获取:https://github.com/Yonsm/HttPeek。